Commands sent to certain applications on a wireless communications device, such as a handheld device, require authentication. Authentication is accomplished by establishing a trusted, shared secret, for example a symmetric key, and using this key either to digitally sign or to encrypt the commands. The shared secret can be securely established using a mechanism similar to Diffie-Hellman key exchange and SPEKE (Simple Password Exponential Key Exchange). However, SPEKE requires the prior exchange of an initial shared secret, the activation password, which seeds the key exchange. The key exchange must be initiated from the handheld.
A problem sometimes arises in how the activation password is established between the device and the servers that provide an IS (Internet Service), because 1) users may need to set up services that require establishment of a symmetric key through multiple user interfaces, such as a browser on the handheld device or a browser on a personal computer (PC); 2) a user may not have physical access to the device, for example when an administrator sets up an account on behalf of a user; and 3) the mailbox is typically not located in the same data center as the IS, so it is more efficient to have the initial key exchange command sent directly to the IS than to monitor an IS mailbox for initial key exchange commands.
Some approaches use a key exchange protocol similar to SPEKE (Simple Password Exponential Key Exchange) to establish a symmetric encryption key between a handheld device and a server. The device, for example, has an application preinstalled to allow activation on an enterprise server. A user calls their IT (Information Technology) administrator and requests that their corporate email account be activated on the device. The IT administrator generates a new activation password, stores it in the server database and communicates it to the user. The user launches the activation application and enters their email address and activation password. The device uses the activation password to seed the SPEKE-like key exchange and transmits the initial key exchange command directly to the user's corporate mailbox. The server monitors the mailbox, extracts the initial key exchange command and proceeds with the key exchange. The subsequent key exchange command contains routing information (for example, a service UID), which allows the device to send all remaining key exchange commands directly to the server, bypassing the mailbox. A further drawback of this approach is the need to call a corporate administrator, which is not advantageous in a consumer setting.
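The password-seeded exchange described in the first and third paragraphs, as an added illustration that is not part of the original text and not the device or server software it describes. It models SPEKE's core idea: both parties derive the group generator from a hash of the activation password, exchange Diffie-Hellman values over that generator, and then confirm with an HMAC that they reached the same key, so a mismatched activation password is detected at confirmation rather than silently producing two different keys. The 256-bit safe prime, the `Party` class, the confirmation labels and the sample passwords are constructed for this example only; a deployment would use a standardized group of at least 2048 bits and the routing step (service UID) is omitted.

```python
"""Toy SPEKE-style activation key exchange (added example, not the page's own protocol)."""
import hashlib
import hmac
import random
import secrets

# Small primes used to sieve candidates cheaply before Miller-Rabin.
_SMALL_PRIMES = [n for n in range(2, 1000)
                 if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Trial division followed by Miller-Rabin with random bases."""
    if n < 2:
        return False
    for s in _SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits: int, rng: random.Random) -> int:
    """Return p = 2q + 1 with both p and q prime (toy size; seeded rng for reproducibility)."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if any(q % s == 0 or p % s == 0 for s in _SMALL_PRIMES):
            continue
        if is_probable_prime(q) and is_probable_prime(p):
            return p


# Constructed toy group parameter: a 256-bit safe prime generated from a fixed seed.
P = generate_safe_prime(256, random.Random(2024))
Q = (P - 1) // 2  # order of the subgroup of squares


def speke_generator(password: bytes, p: int) -> int:
    """SPEKE: the generator is the square of the hashed password, so it lies in the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(password).digest(), "big") % p
    g = pow(h, 2, p)
    if g in (0, 1):
        raise ValueError("degenerate generator for this password")
    return g


class Party:
    """One side of the exchange (the handheld or the server)."""

    def __init__(self, password: bytes, p: int):
        self.p = p
        self.g = speke_generator(password, p)
        self.secret = secrets.randbelow(p - 3) + 2      # private exponent in [2, p-2]
        self.public = pow(self.g, self.secret, p)        # value sent to the peer
        self.key = None

    def derive_key(self, peer_public: int) -> bytes:
        # Reject values outside the order-q subgroup: they would force the result into a tiny subgroup.
        if not 2 <= peer_public <= self.p - 2 or pow(peer_public, Q, self.p) != 1:
            raise ValueError("peer public value is not a valid group element")
        shared = pow(peer_public, self.secret, self.p)
        nbytes = (self.p.bit_length() + 7) // 8
        self.key = hashlib.sha256(shared.to_bytes(nbytes, "big")).digest()
        return self.key

    def confirm_tag(self, label: bytes) -> bytes:
        """Key-confirmation tag: proves possession of the derived key without revealing it."""
        return hmac.new(self.key, label, hashlib.sha256).digest()


def run_activation(device_password: bytes, server_password: bytes, p: int = P):
    """Run the exchange; returns (confirmed, device_key, server_key)."""
    device = Party(device_password, p)
    server = Party(server_password, p)
    # Message 1 (device -> server): device public value; Message 2 (server -> device): server public value.
    device.derive_key(server.public)
    server.derive_key(device.public)
    # Message 3 (server -> device): server's confirmation tag; the device checks it with its own key.
    confirmed = hmac.compare_digest(server.confirm_tag(b"server-confirm"),
                                    device.confirm_tag(b"server-confirm"))
    return confirmed, device.key, server.key


if __name__ == "__main__":
    ok, dk, sk = run_activation(b"activation-pw-1234", b"activation-pw-1234")
    print("matching password -> confirmed:", ok, "keys equal:", dk == sk)
    ok, dk, sk = run_activation(b"activation-pw-1234", b"activation-pw-9999")
    print("mismatched password -> confirmed:", ok, "keys equal:", dk == sk)
```

The check on the peer's public value (range and membership in the order-q subgroup) is the step most often omitted in sketches of this protocol; without it a malformed first message can collapse the shared secret into a small set of values, which is why a server extracting the initial command from a mailbox should validate it before exponentiating.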